Unico IDTech Bug Bounty Program

Unico IDTech is pioneering the future of biometric authentication through our advanced liveness detection engine. We're inviting security researchers to help protect millions of digital identities by finding novel ways to bypass our state-of-the-art biometric controls.

Applicability

The Bug Bounty program is now public and open to all security researchers. The following groups are not eligible:

Employees and former employees of Unico IdTech or its subsidiary companies;
First-degree relatives of employees of Unico IdTech or its subsidiaries or affiliates;
Third parties who have access to the Organization's confidential information;

Disclosure Policy

Please do not publicly disclose vulnerabilities until they have been resolved and we have provided explicit consent for disclosure.
Follow HackerOne's disclosure guidelines.

Program Rules

Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Submit one vulnerability per-report, unless you need to chain vulnerabilities to provide impact.
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Social engineering (e.g. phishing, vishing, smishing) is prohibited.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Ask the program team before submitting vulnerabilities on unscoped subdomains
Only interact with accounts you own or with the explicit permission of the account holder.

Structure and Focus of the Program

Our Bug Bounty program is divided into two distinct scopes: Liveness and Web. Each scope targets specific areas of our systems, with a primary focus on testing the security controls associated with the Liveness scope.

Primary Scope - Liveness

For more details, please refer to IDCloud - DevCenter.

Presentation Attack Detection Matrix

Test Type	Success Criteria	Failure Criteria	When to Report
Photo Attack	Engine accepts static image as live	Engine correctly rejects static image	Report if bypass rate >1% over 100 attempts
Video Replay	Engine accepts pre-recorded video	Engine detects temporal inconsistency	Report if bypass successful on 3+ different samples
3D Mask/Model	Engine accepts non-human presentation	Engine detects artificial surface	Report if any high-quality mask achieves >5% success rate
Deepfake	Engine accepts synthetic video stream	Engine detects manipulation artifacts	Report if real-time bypass achieved with <500ms latency

Processing Integrity Matrix

Test Type	Success Criteria	Failure Criteria	When to Report
Memory Manipulation	Modified engine parameters accepted	Tampering detected and rejected	Report if persistence across engine restarts
Template Injection	Artificial template processed as valid	Invalid template detected	Report if bypass work on multiple formats
Timing Attacks	Processing bypass through race condition	Proper sequence validation	Report if reproducible >50% of attempts

Data Flow Integrity Matrix

Test Type	Success Criteria	Failure Criteria	When to Report
Capture Relay	Reused biometric data accepted	Replay detected and blocked	Report if bypass works across sessions
Stream Manipulation	Modified data stream processed as valid	Data integrity check failure	Report if manipulation undetected by engine
Session Hijacking	Authentication state transferred	Session binding enforced	Report if state can be copied between instances

Reporting Liveness Bypasses

Report when the SDK returns a positive liveness result for a presentation attack, following the criteria in the matrices above. Include Transaction ID and Process ID. Our team will validate the full bypass chain including backend verification.

The testing will focus on the biometric SDK, not the wrapper applications. The test applications serve solely to facilitate SDK testing and are out of scope. Vulnerabilities related to the biometric capture and processing engine are in scope, while issues related to the wrapper interface or presentation layer are out of scope.

Report Requirements

When reporting a vulnerability, it is essential to include the Transaction ID and the Process ID of capture.

Useful Links for Testing Liveness

System Requirements:

Web: Modern browser (Chrome, Firefox, Safari, or Edge) with camera access
Android: Physical device with Android 6.0 (API 23) or higher
iOS: Physical device with iOS 14.0 or higher

Web Testing: Web testing can be performed in any modern browser.

Physical Devices Required for Mobile Testing: The mobile applications (Android Native, iOS Native, Android Flutter, and iOS Flutter) DO NOT work on emulators or simulators. You must use physical devices for mobile testing.

Application Expiration (TTL): The mobile applications have a 30-day Time-To-Live (TTL). If the app stops working or shows expiration errors, download and install the latest version from the links above. Web application does not expire.

Recommended Testing Approach: We strongly recommend using the native apps (Android Native and iOS Native) for mobile testing. The native apps offer smoother performance and more direct SDK integration. Flutter apps are provided for convenience but use the native SDKs as a bridge layer.

Secondary Scope - Web

Vulnerability Type	When to Report a Problem
XSS	A simple alert(document.domain) is enough.
RCE	Please only run harmless code. Simply printing something or evaluating an expression should be enough to demonstrate the problem.
SQLi	Please report it as soon as you experience a SQL error that indicates SQL injection or you are able to disclose the SQL server version number.
SSRF	Do not play on any internal networks. Let us know as soon as you believe you have a possible SSRF issue and we will look into it for you.
JWT Tokens Vulnerabilities	Injecting self-signed tokens or breaking authorization controls.
IDOR	Access confidential information from another user/organization or users with greater privileges.
Unrestricted File Upload	Upload a simple shell, a file with an extension or content-type different from those requested.

Using the OWASP Risk Rating Calculator

Using the OWASP Risk Rating calculator will be greatly appreciated.

Session Layer: HTTP Headers

Researchers should add headers to requests such as:

"X-HackerOne-Research: [H1 username]"
"User-Agent: [H1 username]"

Out of Scope Vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

Clickjacking on pages with no sensitive actions
Attacks on authentication tokens without impact (e.g., expiration time).
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms without confidential actions.
Attacks requiring Man-in-the-Middle (MITM) or physical access to a user's device.
Vulnerable libraries previously known without a functional Proof of Concept.
File uploads without impact or execution of malicious code.
Injection of comma-separated values (CSV) without demonstrating a vulnerability.
Lack of best practices in SSL/TLS configuration.
Any activity that could lead to disruption of our service (DoS).
Content spoofing and text injection issues without showing an attack vector/unable to modify HTML/CSS.
Rate limiting or brute force issues on endpoints without authentication.
Lack of best practices in Content Security Policy.
Missing HttpOnly or Secure flags on cookies.
Missing controls (invalid, incomplete, or missing SPF/DKIM/DMARC records, etc.).
Vulnerabilities affecting only users of outdated or unpatched browsers.
Disclosure of software version/Issues with banner identification/Descriptive error messages or headers (e.g., stack traces, application or server errors).
Open redirection - unless an additional security impact can be demonstrated.
Issues requiring unlikely user interaction.
Self-XSS or DOM XSS without clear impact.
Service banner and/or version.
Any bug depending on an outdated browser.
Exposed credentials that are either no longer valid or do not represent a risk to an asset in scope.
Domain/Subdomain takeover.

Rewards

Reward Structure

Severity	Reward
Low	$150–$300
Medium	$500–$2,000
High	$1,250–$5,000
Critical	$3,000–$10,000

[Unico] Liveness Bypass

Low: $300
Medium: $2,000
High: $5,000
Critical: $10,000

Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Unico IDtech.

Safe Harbor

Adheres to Gold Standard Safe Harbor and is fully compliant with Platform Standards.

Unico IDtech

Unico IDtech

Details

Unico IDTech Bug Bounty Program

Applicability

Disclosure Policy

Program Rules

Structure and Focus of the Program

Primary Scope - Liveness

Presentation Attack Detection Matrix

Processing Integrity Matrix

Data Flow Integrity Matrix

Reporting Liveness Bypasses

Report Requirements

Useful Links for Testing Liveness

Secondary Scope - Web

Using the OWASP Risk Rating Calculator

Session Layer: HTTP Headers

Out of Scope Vulnerabilities

Rewards

Reward Structure

[Unico] Liveness Bypass

Safe Harbor

Unico IDTech Bug Bounty Program

Applicability

Disclosure Policy

Program Rules

Structure and Focus of the Program

Primary Scope - Liveness

Presentation Attack Detection Matrix

Processing Integrity Matrix

Data Flow Integrity Matrix

Reporting Liveness Bypasses

Report Requirements

Useful Links for Testing Liveness

Secondary Scope - Web

Using the OWASP Risk Rating Calculator

Session Layer: HTTP Headers

Out of Scope Vulnerabilities

Rewards

Reward Structure

[Unico] Liveness Bypass

Safe Harbor